Skip to main content
Intelligence
DPA template — Article 28 GDPR

Data Processing Agreement

Standard processor agreement template entered into between Zedream Ltd ("HUMAIN") and the customer using the platform. For a version counter-signed by both parties, please email privacy@humain-01.com.

1. Parties

Processor : Zedream Ltd, a company registered in the United Kingdom under number 15531321, operating the HUMAIN platform (hereinafter "the Processor").

Controller : the legal entity or individual who has subscribed to the HUMAIN service, as identified in the terms of service or the order (hereinafter "the Controller").

2. Subject matter

This agreement governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the provision of the HUMAIN service, in accordance with Article 28 of the UK GDPR and Regulation (EU) 2016/679 (EU GDPR).

3. Term

This agreement takes effect on the date the terms of service are accepted and remains in force for the entire duration the service is provided. It terminates automatically upon termination of the main contract.

4. Nature and purpose of processing

  • Nature: collection, storage, transmission and automated processing through large language models (LLMs).
  • Purpose: providing the Controller with a multi-agent assistant operating on its behalf (drafting, scheduling, automation).
  • Types of data processed: identification data (name, email), professional data (role, company), content exchanged with the agents (messages, files), technical data (logs, metadata).
  • Categories of data subjects: users of the Controller and third parties whose data is entered into the platform by the Controller.

5. Obligations of the Processor

The Processor undertakes to:

  • Process the data only on the Controller's documented instructions.
  • Ensure confidentiality from any personnel authorised to access the data.
  • Implement the technical and organisational measures described in Article 7 (security).
  • Assist the Controller in fulfilling its obligations (responses to data-subject requests, notifications, data protection impact assessments).
  • Delete or return the data at the end of the contract (see Article 10).
  • Make available to the Controller the documentation required to demonstrate compliance with this agreement.

6. Sub-processing

The Controller authorises the Processor to use the sub-processors listed on the Trust Center page (including OpenAI, Anthropic, Supabase, Vercel, Stripe, Resend). Any change will be notified at least 30 days before it takes effect, and the Controller has a reasoned right to object.

7. Security

The Processor implements the following measures:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3).
  • Postgres Row Level Security (RLS) ensuring tenant isolation.
  • Strong authentication for administrator accounts.
  • Logging of access to sensitive data.
  • Encrypted backups with limited retention.
  • Incident-management policy (see Article 8).

8. Personal data breach notification

In the event of a personal data breach affecting the processing covered by this agreement, the Processor will notify the Controller within 72 hours of becoming aware of it, providing the nature, volume, likely consequences and measures taken, in accordance with Article 33 of the GDPR.

9. International transfers

Some sub-processors are established outside the UK / EEA (in particular the United States). Transfers are carried out on the basis of the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) and the UK International Data Transfer Agreement (IDTA) or UK Addendum, supplemented where necessary by additional technical measures.

10. Return and deletion

On expiry of the contract, and according to the Controller's instructions, the Processor will:

  • Return all data in a structured, commonly used format, or
  • Destroy it within a maximum of 30 days, unless required by law to retain it.

A certificate of destruction is provided on request.

11. Audit

The Controller may request, once a year, the documentation evidencing compliance with the obligations under this agreement (SOC 2 and ISO 27001 reports when available, records of processing activities). Any on-site audit must be negotiated with reasonable notice and at the Controller's expense.

12. Governing law

This agreement is governed by the law applicable to the main contract, consistently with the UK GDPR, the EU GDPR and, where applicable, Quebec's Law 25 and Canada's PIPEDA.

13. Contact

For any question about this DPA or to obtain a counter-signed version: privacy@humain-01.com.

Version 1.0 — Last updated: 23 May 2026 · Zedream Ltd, Company No. 15531321 (UK)

Request a signed DPA

To receive a counter-signed PDF version applicable to your contract, send a request to our Privacy team.

Request signed DPA
Data Processing Agreement (DPA) | HUMAIN